CVE-2023-23922

2023-02-1720:15:11

CWE-79

[email protected]

web.nvd.nist.gov

cve

2023

23922

xss

vulnerability

moodle

blog search

nvd

cross-site scripting

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.0%

JSON

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in blog search. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website. This flaw allows a remote attacker to perform cross-site scripting (XSS) attacks.

Affected configurations

NVD

Node

moodlemoodleRange4.0.0–4.0.6

moodlemoodleMatch4.1.0-

CPENameOperatorVersion
moodle:moodlemoodlelt4.0.6
moodle:moodlemoodleeq4.1.0

CPE	Name	Operator	Version
moodle:moodle	moodle	lt	4.0.6
moodle:moodle	moodle	eq	4.1.0

CNA Affected

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "4.1.0",
        "lessThan": "4.1.1",
        "versionType": "semver"
      },
      {
        "status": "affected",
        "version": "4.0.0",
        "lessThan": "4.0.6",
        "versionType": "semver"
      }
    ],
    "packageName": "moodle",
    "collectionURL": "https://git.moodle.org",
    "defaultStatus": "unaffected"
  }
]